5f30e8481df588162531103d3930faa6dcd927e6ec8cb5b187dbe258bdaab903

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921667ca5f3ee1cff03b17421af6ef11.pdf
Size

68KB
MD5

921667ca5f3ee1cff03b17421af6ef11
SHA1

b2811bc4069f1e5b69f9bc8086fe4f561d1172c6
SHA256

5f30e8481df588162531103d3930faa6dcd927e6ec8cb5b187dbe258bdaab903
SHA512

8aad0a06f9277fc08ea4cd8cd34b818ae02493c247609a92b00a109edb4758c298146fd6f989d9acf5548ded1d675bd3523d4acde3deca43b21090082e943a60
SSDEEP

1536:vV6AmalQEDh2BDkkNQhqA+9nvHMxlfRPpuuLtZTZ5aq115q:JwNRXA+1HQBpFLHZ5/q

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe
2288	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 524	2288	AcroRd32.exe	94
PID 2288 wrote to memory of 524	2288	AcroRd32.exe	94
PID 2288 wrote to memory of 524	2288	AcroRd32.exe	94
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2432	524	RdrCEF.exe	96
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95
PID 524 wrote to memory of 2564	524	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\921667ca5f3ee1cff03b17421af6ef11.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1CEC1DB607373151EF35A832DAC939AB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1CEC1DB607373151EF35A832DAC939AB --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2564
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEE516E18A4C7C3CD6FD1EFBDC68868D --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2432
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1096EF0732C3360C2C9055A6976FB73D --mojo-platform-channel-handle=2268 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1276
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=241F15091FB983CA9B7870D2B9444EC6 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C4B8A3BD9420AA59993B5FEBD99DEB0 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
5KB

MD5
66dcf6929fa8cf588cb6fd145bb511a6

SHA1
37a457eccd90bf3650abcfe26a21e2ff48daabb3

SHA256
9ff9925d367ca9b25295c187f9c3ed1c65b5f4da3e2959b346334800e7159dfb

SHA512
71e652a5da4a2106e6690b5baad78579b1b6d8d2cfdc778e75aea3a4a6029b3f7da6fc80ed83342b58b7e271c7bc481a1d3977cf9dba7a775a8d9ba42d40cb5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
9KB

MD5
26249894e8fc23e7bbffbde5af3e45ba

SHA1
89d11eea9399e103293108c290070ca78a9a87de

SHA256
6eeae70097bfa6f483a53c2218b80ae381370ff387d19bdd932322d1154b8e2b

SHA512
d9dad63f1f1d5e9009cee594bfca0959bf4db08007cd4c700dafecbd5be8e446f17194b092b89494b3e2332881f16111b0161f2bce5d7f60610f1237e7bc04cc

Download Submit